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Abstract 



We give an exponential separation between one-way quantum and classical communication complexity 
for a Boolean function. Earlier such a separation was known only for a relation. A very similar result 
was obtained earlier but independently by Kerenidis and Raz KR06 . Our version of the result gives 
an example in the bounded storage model of cryptography, where the key is secure if the adversary has 
a certain amount of classical storage, but is completely insecure if he has a similar amount of quantum 
storage. 

1 Introduction 

From a computer science perspective, the main theoretical goal of the field of quantum computing is to 
exhibit problems where quantum computers are much faster (or otherwise better) than classical computers. 
Preferably exponentially better. The most famous example, Shor's efficient quantum factoring algorithm, 
constitutes a separation only if one is willing to believe that efficient factoring is impossible on a classical 
computer — proving this would of course imply that P^NP. One of the few areas where we can establish 
unconditional exponential separations is the area of communication complexity. Here two parties, Alice with 
input x and Bob with input y, collaborate to solve some computational problem that depends on both x 
and y. They want to do this with minimal communication. 

Examples of communication problems where quantum communication gives exponential savings over 
classical communication were for instance given by Buhrman, Cleve, and Wigderson BCW98 for zero-error 
protocols, Raz Raz99 for bounded-error protocols, Buhrman, Cleve, Watrous, and de Wolf BCWW01 
for simultaneous message passing protocols, and Bar-Yossef, Jayram, and Kerenidis |B.IKf)4| for one-way 
protocols. The last result establishes an exponential separation for one-way communication: it describes a 
problem (the Hidden Matching Problem) which can be solved by a quantum message of logn qubits, but 
which cannot be solved with good success probability with much fewer than y/n classical bits of communi- 
cation. However, their problem is a relational problem, where for each x and y many possible outputs are 
considered correct. Establishing a separation for a Boolean junction was left as an open problem. 

In this paper, we give an exponential ((logn) 3 / 2 vs \/n(\og n) 1 / 4 ) quantum-classical separation for one- 
way communication for a Boolean function. The problem is a variant of a functional problem that was 
already conjectured to give such a separation by Bar-Yossef et al. As usual in such results, the efficient 
quantum protocol is quite easy, while the lower bound for classical one-way protocols is harder to show. A 
very similar separation was obtained earlier but independently by Kerenidis and Raz |KR06j using different 
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techniques based on Fourier analysis. The outline of their proof was obtained in the summer of 2004, but 
was written up in detail when they learned in June 2006 about our independent work (which was not quite 
finished at the time). We thank Kerenidis and Raz for generously delaying the publication of their proof 
while we were finishing ours. 

Let us briefly point out some differences between our two proofs. The Kerenidis-Raz result is a slightly 
stronger separation than ours, since the quantum upper bound for their problem is logn while ours is 
(logn) 3 / 2 . Their proof is heavily based on the analysis of Fourier coefficients. It is self-contained except 
for an application of the Bonami-Bcckncr inequality. Our proof is quite different. Intuitively, it shows 
that if Alice's message was too short, then Bob has hardly any information about a certain string z that 
can be computed from x given also Bob's input. It is based on a result of Talagrand |Tal96| and a large 
deviation inequality for martingales due to McDiarmid McD98 . A small advantage of our result is that our 
quantum protocol has zero-error, while the Kerenidis-Raz variant of the problem gives a separation between 
bounded-error quantum and classical, but not between zero-error quantum and bounded-error classical. 

Another advantage of our proof is that it shows something interesting about the bounded storage model 
of cryptography. In this model, introduced by Maurcr Mau92 , an adversary has full but temporary access 
to some string x but can only store a limited amount of information about x. A and B have a secret key K 
available, which they use to derive a common string z from x (they only need to store small portions of x at 
the time) . This string z is supposed to be almost completely uniformly distributed from the point of view of 
the adversary, and hence can be used by A and B as a key in a one-time pad communication scheme. The 
power of this model is that one can show in many cases that the adversary knows very little about the string 
z that Alice and Bob derived from x, even if the adversary later learns the shared key that was used to derive 
z | ADR02llDCT0l| . Viewing our communication result in the bounded-storage context, Alice's message is 
the storage of the adversary, while Bob's input takes the role of the secret key K. Our result shows that z 
can fairly safely be used as a key if the adversary has less than i/n classical storage, while it is completely 
insecure if the adversary has y/n (or even only polylogarithmic) quantum storage. 1 

Finally, let us point out that both results can be modified to give a separation in the simultaneous 
message passing model between the models of classical communication with shared entanglement and clas- 
sical communication with shared randomness. Earlier, such a separation was known only for a relational 
problem [GKRWQ6j , not for a Boolean function. 

2 The problem and its quantum and classical upper bounds 

We assume basic knowledge of quantum computation NC00 and (quantum) communication complex- 
ity [KN971 IWol02 . The partial Boolean function that will give the separation is the following problem, 
parametrized by a value a < 1/4. It's a modification of the Boolean Hidden Matching Problem from BJK04 . 

Alice: x £ {0, 1}" 

Bob: an disjoint edges e\ — ■ ■ ■ , e an — (i an ,jan) from and a string w € {0, 1} Q ™ 

Define zi = Xi t © Xj t and z = Z\ . . . z an 
Promise: w = z © b an for a bit b 
Function value: b 

There is an easy 0(log(n)/a)-qubit protocol for this problem that gives the correct output with proba- 
bility 1/2 and claims ignorance otherwise, as follows. Given a uniform superposition over all bits of x (which 
takes log n qubits), Bob can complete his an edges to a perfect matching and measure with the corresponding 
set of n/2 2-dimensional projectors. With probability 2a he will get one of the edges ei = (i£, je) of his input. 
The state will then collapse to (— l) Xi i\u) + (— l) x ^ \ji), from which Bob can obtain the bit Z£ — x% t £B Xj £ 
with certainty. XORing this bit with the corresponding bit We in his string w gives the function value b. The 
protocol gives Bob 0(1 /a) copies of the logn-qubit state, so he learns b with good probability (and knows 
when he doesn't). 

1 In a way our result can be viewed as a strong extractor, albeit a rather bad one, where the random seed (the sequence of 
edges of Bob's input, described below) takes about n bits. 
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The following is an easy classical upper bound. Suppose Alice uniformly picks a subset of d » \jnja of 
the bits of x and sends those to Bob. It is easy to see by the birthday paradox that now with high probability 
Bob will have both endpoints of at least one of his an edges. This enables him to compute the function 
value b. To send a uniform subset of d bits from x, Alice would need to send about dlogn bits to Bob, since 
she needs to describe the d indices as well as their bitvalues. However, by Newman's theorem |New91| . Alice 
can actually restrict her random choice to picking one out of 0(n) possible d-bit subsets, instead of one out 
of all Q) possible subsets. Hence d + 0(\og n) bits of communication suffice. 

In the sections below we show that this classical upper bound is essentially optimal for a rs 1/yTogn, 
which gives the exponential quantum-classical separation. 

3 Strategy of the proof 

We prove a lower bound on classical communication with shared randomness for the problem of the previous 
section. By the Yao principle, it suffices to prove a lower bound for deterministic protocols under the uniform 
input distribution on the x's, the edges, and b (note that this fixes Bob's second input w). Suppose we have 
a classical deterministic one-way protocol with c bits of communication and error probability at most 1/10 
under this distribution. This protocol partitions the set of 2™ x's into 2 C sets Ax,...,A2°, one for each 
possible message. At least half of the x's must occur in sets of size at least 2™~ c ~ 1 , since the smaller sets 
together contain fewer than 2 C ■ 2"~ c ~ 1 = 2" _1 x's. Hence there must be at least one set A that contains at 
least 2 n ~ c ~ 1 x's and has error at most 1/5, otherwise the overall error would be larger than 1/10. Hereafter 
we will analyze this set A. 

From Bob's point of view the following happens when he receives the message corresponding to A: an 
disjoint edges I E [an], uniformly picked from (^) are given, and an unknown x is picked uniformly 

from A. As before, let zg — Xi e © Xj e and z = Z\ . . . z an . Bob needs to figure out whether his second input 
equals z © 0"/ 4 or z © l™/ 4 . We will use capital letters to denote the corresponding random variables. Our 
goal here is to show that Z is close to uniformly distributed when the edges are known but x is not. Suppose 
we can show that if the communication c is "small" , then Z is more or less uniform: the total variation 
distance is d(Z, U an ) = \ Y^ Z £{0 x} an I P r [^ — A ~ 2~ an \ < 5 for some small 5 (this is the bulk of the proof 
below). 2 Then also d(Z © an , U an ) < 5 and d(Z © l an , U an ) < 5, and hence by the triangle inequality 

d(Z © Q ™, Z © l an ) < d{Z © Q ", U an ) + d(Z © l an , U an ) < 25. 

But distinguishing between the two distributions Z © an and Z © l an is exactly what Bob needs to do to 
determine b. It is well known that distinguishing between two distributions with variation distance 25 can 
be done with probability at most 1/2 + 5. Accordingly, if c is "small" then the success probability will be 
close to 1/2. Conversely, since Bob's success probability on the set A is at least 4/5, c must have been large. 

4 How biased are the bits of Z? 

We will analyze the distribution of Z, which depends on the known edges e\ — ■ ■ ■ , e an = (iamjan) 

as well as the unknown x E A. Intuitively, if c is small (i.e. A is large), for most strings z E {0, 1}" we should 
have Pr[Z = z] w 2~ an and hence d(Z, U an ) is small. Proving this will be quite technical. 

We view the edges as being picked one by one. Since A is quite large, for most (i, j)-pairs roughly equally 
many x's should have Xi®Xj = 1 as have Xi®Xj = 0. Thus we expect the first bit Z\ to be close to uniformly 
distributed when x is picked uniformly from A. Similarly, we would like the later bits Zt to be more or less 
uniform when conditioned on values Z\ = zx,... ,Zi—i = Zg,-\ for the earlier edges. More formally, once 
• ■ • , and z%,..., have been fixed, we define the "£th bias" by 

fit = Pr [Z e = 1 | Zx = zx, . . . , Z e ^i = zt-x] - 1/2. 

x£A 

2 Note that we include a factor of 1/2 in our definition of total variation distance. This means that the distance lies in the 
interval [0,1], and if distributions P and Q have distance 8, the probability of any event cannot change by more than S, i.e., 
Pr P [E] - PrQ[E]| < S for any event E. 
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This is a random variable, depending on the choice of It is positive if Zg is biased towards 1, and 

negative if Zg is biased towards 0. 

Fixing the first £ — 1 edges and conditioning on their bitvalues Z\ = z\, ■ ■ ■ , Zg—i = zg-\ will shrink the 
set of possible x's. Let Ag be the subset of A that is still consistent. Initially we have |^4i| = \A\ > 2 n ~°~ l , 
When we pick the next edge {ig,jg) and its value zi, the new set Ag + i will be smaller by a factor 1/2 + fig 
if zt = 1 and by a factor 1/2 — (3i if Zi = 0. Hence we expect the set to shrink by a factor of about two for 
each new edge and bitvalue for that edge, i.e., \Ag\ > 2 n ~ c ~ e . We have 

t-i 

\A e \ = \A\ ■ Pr[Zi =«!,..., Zt-t = = |A| • JJ (1/2 - , 

i=l 

and in particular 

an an I . , 

Pr[Z = z] = l[ Pr[Zt = z t | Z 1 = z l ,..., Z^ x = z t - X \ = J[ (1/2 - (-l) z <&) = M^- 

£=1 £=1 ' ' 

Hence showing that Z is close to uniformly distributed is equivalent to showing that |A Qn+ i|/|A| sw 2~ Q " 
with high probability. 

We use a result of Talagrand |Tal96j to relate the expected squared bias f3f to the size of the set Ag. 
Lemma 1 ([Tal96], Eq. (2.9)) There is an absolute constant K > 1 such that for all A C {0, l} n 

i,i£[n],i^ v 1 1 7 

where fiij = Ei xe A[xi © 5Cj — 1/2]. 

This will allow us to establish a bound showing that (3i is probably quite small if the set Ag hasn't shrunk 
too fast. We allow some more shrinking than we expect: note the '3c' instead of 'c' in the exponent below. 

Corollary 2 There is an absolute constant 7 > such that if \Ag\ > 2 n ~ 3c ~ £ , then 
(1) E[ft 2 ] < 7 (c/n) 2 and (2) Pr[|ft| > e] < 7 (^) 2 - 

Proof. Note that fixing a bitvalue for the parity of an edge means that the two bits in that edge behave as 
one bit. Accordingly, we can view the set A e as a set of strings of length m = n — (£ — 1) bits. We can upper 
bound the sum of biases over all possible new edges (excluding ones touching earlier edges) by the sum over 
all possible edges (including ones touching earlier edges): 

ieje&{ii,—,u-i,ji>—Je-i} u'6Mi¥3 

where the last inequality is by applying Lemma [I] to Ag. Dividing by the number ("~ 2 2 £1 ^) = 6(« 2 ) of 
possible new edges proves part (1). Part (2) now follows from Chebyshev's inequality. □ 



There is a threat of circularity in our proof. On the one hand we need to assume that the sets Ag are 
not too small in order to show that the biases (3g are not too large (via Corollary [21 . But on the other hand 
we need to show that the biases are not too large in order to be able to conclude that Ag is not too small. 
To deal with this problem, below we give a proof in two "passes" . The first pass is quite coarse-grained and 
shows that (with high probability) the sets At won't shrink by a factor of 2~ 2c more than what we expect. 
This allows us to apply Corollary |3 to each of the an biases during the second pass. In this second, more 
fine-grained pass we actually show that d(Z, U an ) is small. 
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5 First pass: The sets Ag probably don't shrink too much 



We can only use Corollary [3 if the condition \Ae\ > 2" 3c 1 is satisfied. We now show that with high 
probability this is indeed the case for each I simultaneously. The proof uses the following concentration 
result from |McD98| . 

Lemma 3 ([McD98j, special case of Thm. 3.7) Let S\, ...,Sk be bounded random variables satisfying 
~E[Sj\S\ = Si, . . . , Sj-i = Sj-i] = for all 1 < j < k and all values Si, . . . , s^. Then for all t, v > 



Pr 



< e- t2 / 2v + Pr 



E^ 

3=1 



Lemma 4 There is a constant Sq > such that for all < 8 < Sq, if a — (5 2 /(4Vhi n) and c — S^/n^nn) 1 ^ 4 
then with probability 99/100 over all choices of e±, . . . , e an and z = Zi, . . . , z an the following holds: for each 
£ £ [an] we have \A e \ > 2"- 3c - £ and \p t \ < 1/4. 

Proof. Note that 

e-i i-\ 

\A t \ = \A\ ■ Pr[Zi =«i,..., Z t -i = zt-i] =\A\-H (1/2 - > 2"~ c ^ ]T ( X " (" 1 ) Zl2 ^) • 

i=l i=l 

Dehne Sj = — (— l) Zi 2/?i. For the lower bound on it thus suffices to lower bound IIi=i(l + &i) ^y 2~ 2c . 
Taking logarithms, we need to show for each I 

l-\ 

E lo g(l + ^)>-2c (1) 
i=i 

Let us divide the an is into blocks of size c, i.e., for 1 < k < an/c define the fcth block Bk = {(fc — l)c + 
1, . . . , kc} (we ignore rounding for simplicity). Let E/~ be the following event: 

(a) | /3i | < 1/4 for each i £ B k and 

(b) £ ieSfc log(l + Si) > -c'/an. 

We will show below in Claim that for all Pr[->_Efc | E\, . . . , £^-1] < c/lOOan. This implies 

an /c 

PrN*, . . . , E an/c)] < £ Pr[^ | 2fc_ x ] < ^ • ^- = -. 

fc=i 

If .Ei, . • • , E an / C all hold, then from (b) for all k we have Ej=i log ( 1 + S'j ) > —k-c 2 /an > — c and in particular 
Eq. (JTJ holds whenever £ — 1 is a multiple of c. For the other I pick fc such that i — 1 g -Bfe+i and note that 
thanks to (a) we have log(l + Si) > log(l — 2(1/4)) = —1 and hence 

£-1 kc e-i t—l 

]Tl°g(l + S i )=E lo g( 1 + 5 *)+ E log(l + 5 i )>-c+ e -l>-2c. 

i=l i=l i=/cc+l z=/cc+l 

Claim 5 For all 1 < k < an/c, we have Pr[-*Ek \ E\, . . . , £*-i] < c/100an. 

Proof. Let l\ = (k — l)c be the last index in B^-i and condition on E\,.., ,Ek-i- This means that 
\At 1+ i\ > 2 n-2c_<1_1 . Let F denote the event that (a) holds for i £ B k , i.e., \(3i\ < 1/4. We want 
to show ~Pr[-iFi | Fi, . . . , Fi-i] < l/500cm for i £ B k . This will imply that (a) fails to hold only with 
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probability at most c/500an. If |/3^ 1+ i|, . . . , |/3^ 1+i _i| < 1/4 then as before Y^j= > i 1 +i l°g(l + Sj) ^ — c an d 
hence \A £l+i \ > \ A ei+1 \ ■ 2~ l ~ c > 2"- 3c -(^+ l ). We can now apply Corollary Impart 2) to show 

2 



Pr[|# 1+i | > 1/4] < 7 



4c 



167(5 2 



'Inn 



< 



1 



where we use a = S 2 /(4^/h\n) and c = <5y / ri(lnn) 1 / 4 and choose <5o small enough. 

Now, assuming (a) holds for each i £ Bk and hence the conditions of Corollary hold for each i £ Bk, 
we will show that (b) holds for Bk with probability at least 1 — 4c/500an, which will imply the claim. 

Note that log(l + Si) > Si - 2S 2 if \(3i\ < 1/4 and hence 



5>g(i+s t .)> e$-2E^=E 5 <- 8 E# 

We first bound the second term of the righthand side. Corollary [21 implies 



(2) 



E 



E# 

Lies,.. 



< c ■ ^(c/n) 2 = 7c 3 /n 2 



Let i> = c 2 /2an; this is half of what (b) allows us to lose. By Markov's inequality 



Pr 



Ea 2 



> V 



ieB k 



< Wajc/n < c/500cm 



for sufficiently large n. 

Now for the first term in the righthand side of Eq. (J2J. Conditioning on event (a) changes the (a priory 
uniform) distribution on the zi for the i £ Bk by at most c/500cm in total variation distance. This means 
that if we bound PrE igB Si < —v] under the assumption that the Zi are uniform, the true probability will 
change by at most c/500cm (see footnote If the Zj are uniform then the condition of Lemma [3] holds 
for each Si', the conditional expectations are all 0, because the sign of Si is + or — with equal probability. 
Recall that Sf — 4/3? and v — c 2 /2an. Hence by Lemma[3] (with t — v), if the Zi are uniform 



Pr 



E Si < -v 

ieB k 



< e~ v/2 + Pi 



4 E % ^ v 



ieB k 



< l/n + c/50Qcm < 2c/500cm. 



Putting everything together we upper bound the probability that (b) fails for the fcth block: 



Pr 



lo g(! + St) < -c 2 /an = -2v 

:ieB k 



< Pr 



E Si < -v 

ieB k 



Pr 



Ea 2 



> v 



i£B k 



< 4c/500cm. 



This concludes the proof of Claim 
This concludes the proof of Lemma 



6 Second pass: Z is close to uniform 

We now prove the main result, which implies the ^(n 1 / 2 ) lower bound on classical one-way communication. 
Theorem 6 There is a constant S > such that if c = <5 v / n(lnn) 1 / 4 and a = — 7f=, then d(Z, U an ) < 1/10. 
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Of course this theorem also holds if the communication of the classical protocol is c < (5n 1//2 (lnn) 1 / 4 , 
since we can always add dummy bits to a shorter message to make its length equal to exactly that value. 

Proof. We rewrite the total variation distance: 



d(Z, U a 



\ £ \Pv[Z = z] 



1 n— em \ A 



ze{o,i}° 



- (-1)*2A) - 1 



= -E 2 
2 



Jj(l- (-1)^2/3/) -1 



where E 2 denotes the expectation over uniform z. By Lemma0] with probability 99/100, for each I £ [an] 
we have \A e \ > 2 n ~ 3c - e and \fa\ < 1/4. Let us call this event E. Then 

99 1 
d(Z, U an ) < Pr[E] ■ d(Z\ E , U an ) + Prh£] • d(Z\^ E , U an ) < — ■ d{Z\ E , U an ) + —. 

Note that conditioning on E will change the (a priori uniform) distribution on the z. However, the total 
variation distance between the conditioned distribution z\e of the z and the uniform distribution is at most 
1/100, since the event E on which it is conditioned has probability at least 99/100. Hence 



d(Z\ E , U an ) 



= E 

< E 2 
= E. 



H(i - (-if-Wi) i 



-Si) 



V 1/100 
1/100, 



where 5c = —(—l) Zi 2/3i as in the previous section. We thus need to show that Y17=i l°s(l + ft) i s usually 
very close to 0. When conditioned on event E we have \ j3t\ < 1/4 and hence 



Si_ 
In 2 



> log(l + S e ) >Si- 2Sj 



It thus suffices to show that with high probability, both | Y^t=i ft I an( ^ ft? are small. This can be done 

in the same way as in the proof of Claim|31 using this time that E[^"™ x fa] < jac 2 jn — o(l). □ 
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